Cyber Race
IT security poses enormous challenges for companies. Technical dependence is growing. Cyber attacks or other IT security incidents can threaten the existence of a company. In addition, the timely implementation of regulatory requirements often causes headaches.
Aitava helps you prepare your company for current challenges and regulatory requirements and efficiently minimize the risk of damage.
Legal Requirements
German Act on the Federal Office for Information Security (BSI Act) / NIS 2 Directive
- NIS 2 (EU Directive 2022/2555 on measures for a high common level of cybersecurity across the Union) is to be implemented by October 17, 2024 and will lead to a comprehensive revision of the BSI Act, among other things
- Extension of the scope of application to companies with at least 50 employees or an annual turnover or annual balance sheet total of more than EUR 10 million; in addition, special cases regardless of size
- An enormous catalog of obligations for taking measures, including with regard to the supply chain
- Extended reporting requirements for security incidents with specific deadlines
- Cybersecurity as a management responsibility; management can be held personally responsible for violations
- Fines of up to EUR 10 million or 2% of the previous year’s global revenue
Cyber Resilience Act
- Will apply from 2027
- Scope of application: products with digital elements; obligated persons: manufacturers, distributors and importers
- High cybersecurity requirements for product launches
- Monitoring of digital products throughout their entire life cycle
- Provision of free updates
- Reporting of cyber incidents to the EU's cybersecurity agency ENISA
- Mandatory conformity procedure for critical products
- Fines of up to EUR 15 million or 2.5% of the previous year's revenue
Digital Operational Resilience Act (DORA)
- To be implemented by the financial industry by January 17, 2025
- Obligated parties are financial companies and so-called critical ICT third-party service providers (e.g. system-relevant cloud providers); the latter will in future be supervised directly by EBA, ESMA or EIOPA
- Numerous obligations that go beyond the previous regulatory requirements (MaRisk, BAIT, KAIT, ZAIT, VAIT, etc.), particularly with regard to ICT risk management, the classification and reporting of security incidents, and the testing of measures
- Extended obligations for managing risks from the use of ICT service providers – this affects practically all IT management of third parties, not just outsourcing
- The supervisory authority can take numerous measures to eliminate violations, including prohibiting the use of certain ICT services from ICT service providers
Further examples of sector-specific obligations
- Various regulatory requirements for IT security in healthcare, including for hospitals (Section 391 of the German Social Code Book V (SGB V)) and statutory health insurance companies (Section 392 SGB V), as well as for applications, components and services, e.g. for digital health applications (Section 139e para. 2 sentence 2 no. 2, para. 10 SGB V, Section 4 of the Digital Health Applications Ordinance (DiGAV), TR-03161 of the German Federal Office for Information Security), the telematics infrastructure (Sections 306 para. 3, 311, 325, 327, 330 SGB V and requirements of gematik) and cloud services (Section 393 SGB V)
- Obligation to take appropriate technical and organizational precautions in the area of telecommunications law to protect the privacy of telecommunications, personal data and the security of telecommunications networks and services (Sections 165, 167 of the German Telecommunications Act (TKG) and the catalog of security requirements established by the Federal Network Agency)
- Requirement for digital service providers to take appropriate technical and organizational precautions to protect user information and the security of the service (Section 19 of the German Telecommunications-Telemedia Data Protection Act (TDDDG))
GDPR
- Obligation to implement appropriate technical and organizational data security measures (Art. 32 GDPR)
- Documentation of the measures taken is required.
- The responsible party must understand, document and verify the security measures of their processors.
- Reporting requirements to supervisory authorities and, if applicable, affected parties in the event of certain security incidents
- Statements and publications by data protection authorities that specify certain minimum standards must be taken into account.
- Fines of up to EUR 20 million or 4% of the previous year’s global revenue
… and many other requirements. Horizontally and sectorally.
- Aitava cuts through the confusion and provides support for all your IT security and data protection needs.
- We remove stumbling blocks and drive the development of best practices. We can draw on many years of experience in providing technical and legal advice in the regulated IT environment.
Prevention of cyber risks
Contract Design
Contractual provisions are intended to allocate IT security risks (including liability, compliance and evidentiary risks) and reduce legal uncertainties in the internal relationship between two or more contracting parties. A particular challenge is often the tension between individual (possibly regulatory) customer requirements and the standardized processes and contractual terms of IT service providers.
Aitava assists with all agreements related to IT security and data protection. From one-pagers to 250-page books. And beyond.
IT security standards
“State of the art” is the central term in IT security law. This must be determined by technical standards (including ISO / IEC 27001). Depending on the application, industry-specific security standards (B3S) and authority notifications must also be observed. Determining and verifying the relevant IT security standards presents technical and legal challenges.
Aitava helps you. Interdisciplinary. From a single source.
Training Programs
Aitava offers company specific training at the highest level. We deliver the skills that are right for your organization in compact, customized sessions. We give you important ideas and show you best practices that you can implement and develop on your own.
We focus on your individual needs: from introductory workshops to in-depth special topics. On-site and virtual. Interactive if you like. With a passion for the subject.
Emergency Preparation
Good preparation is half the battle. Companies should set themselves up in such a way that the relevant people, especially in management and also in the supply chain, are optimally prepared for an emergency. So that everyone knows what to do. This applies equally to cyber attacks and data protection incidents.
Aitava provides you with comprehensive support in developing, testing and implementing an emergency plan. An emergency plan is only as good as its actual implementation. Thanks to our many years of practical experience in cyber risk issues, we are familiar with the everyday organizational, technical and legal pitfalls. We provide you with important insights. Pragmatically and personally.
Emergency Assistance
- Identification and defense against acute hazards
- Protection of backups
- Comprehensive preservation of evidence
- Maintaining business-critical processes
- Timely reporting to authorities
- Internal and external crisis communication, in particular coordination with the police, insurance companies and contractual partners
- Measures against attackers
- Enforcement of claims
Aitava provides you with comprehensive support in emergencies. So that all the necessary crisis measures are taken at the right time. Without losing sight of the big picture.